Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work
Benjamin Kaduk
kaduk at MIT.EDU
Fri Mar 13 11:53:44 EDT 2015
On Fri, 13 Mar 2015, Robert Wehn wrote:
> - klist
> -> TGT for jane at REALM
> BUT!
> -> localuser can still access alice's files
> -> localuser can never access jane's files
> -> no new NFS service ticket fetched or needed till the end
> of the ticket lifetime
>
> What doesn't help:
> - logout and login as localuser
> - restart gssd
>
> What helps:
> - Unmount NFS, remount.
>
> The NFS client part of the linux-kernel seems to cache the NFS service
> tickets used for every combination of local UID and mounted filesystem.
I don't actually run any NFSv4 myself, but my understanding from
IRC/mailing lists is that the caching has a TTL of roughly a couple hours.
See Brandon's response as well, but from a security perspective, the
kernel NFS implementation is wrong to cache things for so long, especially
without providing a way to invalidate a cached entry.
-Ben Kaduk